Application Gateway Configuration
Learn how to configure your Azure Application Gateway for robust web application delivery.
Configuring Azure Application Gateway
Azure Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications. This document provides a comprehensive guide to configuring its various components.
Core Components of Configuration
Understanding the fundamental building blocks is key to successful configuration. These include:
- Frontend IP Configuration: Defines the IP address(es) that Application Gateway listens on.
- Listener: Binds a port, protocol (HTTP/HTTPS), host name, and certificate (for HTTPS) to a frontend IP configuration.
- Backend Pool: A group of backend servers that Application Gateway forwards requests to.
- HTTP Settings: Define how Application Gateway forwards requests to the backend pool, including protocol, port, and cookie-based affinity.
- Request Routing Rules: Link a listener to a backend pool and HTTP settings to define how traffic is routed.
Key Configuration Scenarios
1. Basic Load Balancing
This is the most common scenario, where Application Gateway distributes incoming HTTP(S) traffic across multiple backend servers.
Steps:
- Create an Application Gateway instance.
- Configure a Frontend IP Configuration (public or private).
- Set up a Listener for HTTP (port 80) or HTTPS (port 443).
- Define your Backend Pool with the IP addresses or FQDNs of your web servers.
- Create HTTP Settings specifying backend port and protocol.
- Establish a Request Routing Rule connecting the listener to the backend pool and HTTP settings.
2. SSL/TLS Termination
Application Gateway can decrypt incoming HTTPS traffic, relieving backend servers of SSL/TLS overhead.
Steps:
- Ensure your Listener is configured for HTTPS (port 443).
- Upload an SSL certificate (PFX format) or reference a certificate stored in Azure Key Vault.
- Configure HTTP Settings to specify whether to communicate with backend servers over HTTP or HTTPS.
3. Web Application Firewall (WAF)
Protect your web applications from common web exploits with Azure WAF integrated with Application Gateway.
Configuration:
- Deploy an Application Gateway with WAF enabled (WAF_v2 SKU).
- Choose the rules to apply: managed OWASP CRS rule sets or custom rules.
- Configure WAF modes: Prevention (blocks malicious requests) or Detection (logs malicious requests).
- Customize WAF rules for specific application needs.
4. Path-Based Request Routing
Route requests to different backend pools based on the URL path.
Configuration:
- Create multiple Backend Pools for different application components.
- Define multiple HTTP Settings if required for different backend pools.
- Create Path-Based Request Routing Rules that link a listener to a default backend pool and specify path patterns to route traffic to other backend pools.
// Example configuration snippet (conceptual)
Listener: "appgateway-listener"
Default Backend Pool: "web-app-pool"
Rules:
- Path: "/api/*" -> Backend Pool: "api-service-pool"
- Path: "/images/*" -> Backend Pool: "static-content-pool"
5. Cookie-Based Affinity (Sticky Sessions)
Ensure that requests from a specific client are consistently sent to the same backend server.
Configuration:
- Enable Cookie-based affinity in the HTTP Settings.
Advanced Configuration Options
- Health Probes: Define how Application Gateway checks the health of backend servers.
- Redirection Rules: Redirect traffic from one URL to another (e.g., HTTP to HTTPS).
- Rewrite Rules: Modify request and response headers or URL paths.
- Custom Error Pages: Configure custom error responses for specific HTTP status codes.
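The security-relevant choices described above (WAF mode, HTTP-to-HTTPS redirection, and the protocol used toward the backend after TLS termination) can be checked mechanically. The following is an added example, not code from this page or from Azure: the dictionary keys, listener names, `to-web` and the finding labels are a hypothetical simplified model, and both configurations are constructed samples.

```python
# Constructed sample configs. Key names are a simplified, hypothetical model of
# the components named on this page, not the Azure resource schema.
LISTENERS = [{"name": "http-in", "protocol": "Http"},
             {"name": "https-in", "protocol": "Https"}]
WEAK = {
    "sku": "Standard_v2",
    "waf": {"enabled": False, "mode": None},
    "listeners": LISTENERS,
    "http_settings": [{"name": "to-web", "protocol": "Http"}],
    "rules": [{"listener": "http-in", "backend_pool": "web-app-pool"},
              {"listener": "https-in", "backend_pool": "web-app-pool"}],
}
HARDENED = {
    "sku": "WAF_v2",
    "waf": {"enabled": True, "mode": "Prevention"},
    "listeners": LISTENERS,
    "http_settings": [{"name": "to-web", "protocol": "Https"}],
    "rules": [{"listener": "http-in", "redirect_to": "https-in"},
              {"listener": "https-in", "backend_pool": "web-app-pool"}],
}


def audit(cfg):
    """Return finding labels for settings a reviewer should look at."""
    findings = []
    waf = cfg.get("waf") or {}
    if cfg.get("sku") != "WAF_v2" or not waf.get("enabled"):
        findings.append("waf-disabled")
    elif waf.get("mode") != "Prevention":
        # Detection mode logs malicious requests but does not block them.
        findings.append("waf-detection-only")
    https = {l["name"] for l in cfg["listeners"] if l["protocol"] == "Https"}
    for listener in cfg["listeners"]:
        if listener["protocol"] != "Http":
            continue
        rules = [r for r in cfg["rules"] if r["listener"] == listener["name"]]
        # Every rule on a plain-HTTP listener should redirect to an HTTPS one.
        if any(r.get("redirect_to") not in https for r in rules):
            findings.append(f"http-listener-no-redirect:{listener['name']}")
    for setting in cfg["http_settings"]:
        # After TLS termination, HTTP here means cleartext to the backend.
        if setting["protocol"] == "Http":
            findings.append(f"backend-cleartext:{setting['name']}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg))
```

A `backend-cleartext` finding is a design choice to review rather than a defect in itself: it marks the hop where traffic is unencrypted after termination at the gateway.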